[LINK] ID theft brings tech to law

Roger Clarke Roger.Clarke at xamax.com.au
Tue Sep 18 10:00:29 AEST 2007


>On Tue, 2007-09-18 at 06:50 +0800, Bernard Robertson-Dunn wrote:
>>http://www.australianit.news.com.au/story/0,24897,22435327-15306,00.html
>>  "That means someone needs to be acknowledging the strengths and
>>  weaknesses of different and competing technologies. We're seeing a
>>  change of climate around that." The concept of technology neutrality -
>>  which meant legislation was drafted to apply to the handling of
>>  information in any context - was past its use-by date, Mr Wilson said.

At 9:16 +1000 18/9/07, Karl Auer wrote:
>I'd like to see a concrete example, where the technology itself is
>relevant to its misuse. Can't think of one off the top of my head. It
>seems to me that "passing off" whether a product or an identity, can be
>clearly enough defined to make identity theft and the preparation for
>identity theft illegal, without needing to specify any specific
>technologies at all.

These are musings rather than direct engagement with Karl's argument:

Firstly, let's get the expression 'identity theft' out of the way.

Id theft is a fair description of a phenomenon that occurs (in 
Australia, and indeed everywhere else except perhaps the US) 
extremely rarely.

Id *fraud*, on the other hand, is rampant, and that's the term that 
needs to be used, and a problem that needs to be focussed on.

Secondly, let's always keep squarely in view the fact that the root 
cause of the id fraud epidemic of the last few decades is the utterly 
naive design of the credit-card system.  If we were going to design a 
convenient high-volume payments system, that wouldn't be it.

Karl, I suspect that when we get down to specifics of what 
constitutes id fraud, and preparation for id fraud, some differences 
in language may be needed in different circumstances.

A dumpster diving expedition can be looking for copper pipe and a 
host of other valuable-to-me-not-to-them items, as well as paper 
containing data that can be used for id fraud.

A keystroke logger that targets passwords, or an email-filter that 
parses for credit-card details, is a horse of a different colour. 
But to outlaw keystroke loggers or email-filters would be quite silly.

Can we define the specific actions that are criminal without getting 
down to tin tacks?  And, if we do that, can we avoid 
technology-specific descriptions?

I've been a critic of the UNCITRAL mania for technology neutrality 
for a long time, because I see it as a cop-out by lawyers who don't 
understand technology and who don't want to get their hands dirty.

A working rule that says 'mainly focus on the generic'? - yep, I 
fully support that.  Unpreparedness to look deeper, and regulate at a 
deeper level if the situation warrants it? - nope, not good enough.

Admittedly my focus in the past has been on authentication generally, 
and biometrics especially.  I'm unsure what I think in the id fraud 
area, because I haven't had occasion to get deeply enough inside it.


-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW


